Overwrite all content of a VM's LV before deleting it.

svn path=/trunk/packages/invirt-remote/; revision=1987

diff --git a/debian/changelog b/debian/changelog
index d57d3c3..9f0c1d7 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+invirt-remote (0.3.0) unstable; urgency=low
+
+  * Instead of immediately deleting LVs, overwrite them with zeros to
+    avoid leaking information from one VM to another.
+
+ -- Evan Broder <broder@mit.edu>  Wed, 21 Jan 2009 02:57:30 -0500
+
 invirt-remote (0.2.2) unstable; urgency=low
 
   * config.{authn[0] => kerberos}.realm

diff --git a/host/usr/sbin/invirt-lvm b/host/usr/sbin/invirt-lvm
index 6367216..22a7805 100755 (executable)
--- a/host/usr/sbin/invirt-lvm
+++ b/host/usr/sbin/invirt-lvm
@@ -1,7 +1,10 @@
 #!/usr/bin/env python
 
 import sys
-import os.path
+import time
+import os
+import random
+import string
 from subprocess import call, PIPE, Popen
 from invirt.config import structs as config
 
@@ -44,20 +47,31 @@ if subcommand == "lvremove":
     def error():
         print >>sys.stderr, "Error removing LV %s\n" % lvname
         sys.exit(1)
-    # I know this is the wrong answer, but sometimes the first
-    # lvchange -a n fails for no particularly good reason, so this is
-    # a pretty good workaround
-    call(["/sbin/lvchange", "-a", "n", lvpath])
-    rv = call(["/sbin/lvchange", "-a", "n", lvpath])
-    if rv != 0:
-        error()
-    rv = call(["/sbin/lvchange", "-a", "ey", lvpath])
-    if rv != 0:
-        error()
-    rv = call(["/sbin/lvremove", "--force", lvpath])
-    if rv != 0:
-        error()
+    
+    # Rename the LV to something else so we can wipe it before reusing
+    # the space
+    while True:
+        new_lvname = "old_%s_%s" % (lvname, ''.join(random.choice(string.ascii_letters) for i in xrange(6)))
+        new_lvpath = "/dev/%s/%s" % (vg, new_lvname)
+        p = Popen(["/sbin/lvrename", lvpath, new_lvpath], stdout=PIPE, stderr=PIPE)
+        rv = p.wait()
+        if rv == 5 and 'already exists in volume group' in p.stderr.read():
+            continue
+        elif rv != 0:
+            error()
+        else:
+            break
     ensureoff(machine)
+    
+    # Fork. The child process wipes the LV and then deletes
+    # it. There's not really anything sane to do with errors (since
+    # this is running non-interactively), so let's just drop them on
+    # the floor for now.
+    if os.fork() == 0:
+        call(["/bin/dd", "if=/dev/zero", "of=%s" % new_lvpath])
+        call(["/sbin/lvchange", "-a", "n", new_lvpath])
+        call(["/sbin/lvchange", "-a", "ey", new_lvpath])
+        call(["/sbin/lvremove", "--force", new_lvpath])
 elif subcommand == "lvresize":
     size = sys.argv[4]
     ensureoff(machine)
@@ -85,5 +99,4 @@ elif subcommand == "lvcreate":
     if rv != 0:
         print >>sys.stderr, "Error creating LV %s\n" %(lvname,)
         sys.exit(1)
-